Adobe releases third security update this month for Flash Player

Latest advisory assigns top priority rating to Windows and Mac users.

Adobe has released an emergency security update for its widely used Flash media player to patch a vulnerability being actively exploited on the Internet. The company is advising Windows and Mac users to install it in the next 72 hours.

An advisory the software company issued on Tuesday said only that the affected Flash flaws "are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content." It identified the bugs as CVE-2013-0643 and CVE-2013-0648, their identifiers in the Common Vulnerabilities and Exposures database. The advisory added that the exploits targeted the Firefox browser. A spokeswoman said no other attack details are available.

Adobe's advisory assigns a priority rating of 1 to Flash versions that run on Microsoft Windows or Mac OS X computers. The rating is reserved for "vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild." The priority for Linux users carries a rating of 3, which is used to designate "vulnerabilities in a product that has historically not been a target for attackers."

Recent versions of Flash are equipped to receive and install updates automatically, but there can sometimes be a delay before the mechanism is triggered. Those who don't want to wait can download the updates directly from Adobe.

Whitelist your Java and Flash players. Do it now. If your browser can't do that, switch browsers or uninstall both plugins.

IF YOU HAVE FLASH AND/OR JAVA PLUGINS ENABLED IN THE BROWSER, AND YOU SURF RANDOM SITES, AND YOU ARE A LOCAL ADMIN, ODDS ARE THAT YOUR COMPUTER IS ALREADY COMPROMISED.

Okay? There isn't a font big enough to emphasize that.

In IE: Options > Safety > ActiveX Filtering. That will disable plugins for all sites, and then you can explicitly enable them for sites you cannot live without, like YouTube for example. While you are in the Safety menu, look at the Tracking Protection. Some nice things in there.

Are you freaking kidding me? I've had to update over 200 laptops this past week TWICE and NOW I've got to do it again (I know, crying in my beer).

Was Jobs right or was he RIGHT!?!

When you install or update Flash, click that box that lets it install future updates by itself. I've almost universally had that work as advertised - I just sent an e-mail to all my users asking them to leave the PCs running overnight, which should just about guarantee they auto-install this update.


The first fix this month worked automatically for me and I was actually shocked to notice it worked. The second time apparently was back to business as usual, which means informing me that there was an update which I can download from their webpage, bundled with crapware if I don't actively uncheck it. Considering that I skipped the last update, as I didn't even realize it was a security fix, I guess I might not get any update information now.

I wonder whether Adobe, Oracle and others could be troubled to put in mechanisms for blacklisting URLs that host the malicious SWFs. I mean, the first request for a file each hour could check an Adobe.Com URL for a blacklist update date that's higher than the one known locally, which would trigger a small (?) update to the local blacklist database.

A nifty option would be an alert that there were unpatched zero-day flaws, maybe even asking before any SWF was displayed.

This would potentially reduce zero-day flaws to being effective only for a couple of hours, tops. While it would be a threat to the revenue streams of those who run Flash ads, it'd seem to make exploits MUCH less profitable.

Might do a bit of good for Adobe's reputation, too. That wouldn't hurt their business, either.

I know everyone's bashing on how frequently Adobe is updating Flash (and rightfully so, for the most part), but at least they are releasing frequent updates? I much prefer this to the dragging-their-feet update style they could also pursue if they were so inclined.

Thanks to the hard work and courage of the late Steve Jobs, Flash is probably 1-2 years closer to death than it would have been had Apple prioritized it for their mobile platform the way RIM and others did. And that's a good thing. The sooner flash goes to oblivion the better.

When you install or update Flash, click that box that lets it install future updates by itself. I've almost universally had that work as advertised - I just sent an e-mail to all my users asking them to leave the PCs running overnight, which should just about guarantee they auto-install this update.


Your end-users have local admin rights?

The Flash autoupdater runs as a service that turns on every few hours to check for an update. The end user doesn't need admin rights.


This has never quite worked for us. Incremental updates go through fine (usually), but major updates (i.e. 11.x) prompt the user and require escalated privileges.

The end result is that users end up on old, unsupported releases, despite the supposed automatic updates. A proper patch management system (e.g. one built on WSUS) is the only solution I've found that works consistently.
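The thread above argues over whether the Flash auto-updater can be trusted on a managed fleet. The following PowerShell script is an added example, not code from the article or from any of the commenters, that audits one Windows host for exactly the state being argued about: which Flash Player builds are installed, whether they meet a minimum version, and whether silent background updating is actually switched on. Assumptions not stated on the page: the file locations are the standard Flash 11-era ones (System32\Macromed\Flash, plus SysWOW64 on 64-bit Windows); the service name AdobeFlashPlayerUpdateSvc and the mms.cfg keys AutoUpdateDisable and SilentAutoUpdateEnable are taken from Adobe's Flash Player administration guide; $MinimumVersion is a placeholder to be filled in from the current advisory, because the article does not state the fixed version number.

```powershell
# Added example (not from the article or any commenter): audit a Windows host's
# Flash Player install and auto-update configuration. Run elevated if -Fix is used,
# because mms.cfg lives under %SystemRoot%.
param(
    [version]$MinimumVersion = [version]'0.0.0.0',  # placeholder: set from Adobe's advisory
    [switch]$Fix                                     # rewrite mms.cfg to enable silent updates
)

# Assumed standard locations: 32-bit Windows uses System32; 64-bit Windows keeps the
# 32-bit browser plugins under SysWOW64. Check whichever exist.
$flashDirs = @("$env:SystemRoot\System32\Macromed\Flash",
               "$env:SystemRoot\SysWOW64\Macromed\Flash") | Where-Object { Test-Path $_ }

function Get-InstalledFlashVersions {
    # NPSWF*.dll is the Firefox (NPAPI) plugin, Flash*.ocx the IE ActiveX control.
    # Read the numeric parts of the file version rather than the free-text string,
    # which Adobe writes with commas ("11,6,602,171").
    foreach ($d in $flashDirs) {
        foreach ($f in Get-ChildItem -Path "$d\*" -Include 'NPSWF*.dll', 'Flash*.ocx' -ErrorAction SilentlyContinue) {
            $vi = $f.VersionInfo
            [pscustomobject]@{
                Path    = $f.FullName
                Version = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            }
        }
    }
}

function Get-MmsConfig {
    # mms.cfg is a plain key=value file. Ticking "install updates automatically" in the
    # installer is what writes SilentAutoUpdateEnable=1; if the file or key is missing,
    # the updater falls back to prompting the user, which is the behaviour the thread
    # complains about.
    $cfg = @{}
    foreach ($d in $flashDirs) {
        $p = Join-Path $d 'mms.cfg'
        if (Test-Path $p) {
            foreach ($line in Get-Content $p) {
                if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$') { $cfg[$matches[1]] = $matches[2] }
            }
        }
    }
    $cfg
}

$versions = @(Get-InstalledFlashVersions)
$cfg      = Get-MmsConfig
$svc      = Get-Service -Name 'AdobeFlashPlayerUpdateSvc' -ErrorAction SilentlyContinue   # assumed service name

$silent   = ($cfg['AutoUpdateDisable'] -ne '1') -and ($cfg['SilentAutoUpdateEnable'] -eq '1')
$outdated = @($versions | Where-Object { $_.Version -lt $MinimumVersion })

if ($Fix -and -not $silent) {
    # Keep any other settings the admin already put in mms.cfg; replace only the two
    # keys that control background updating.
    foreach ($d in $flashDirs) {
        $p = Join-Path $d 'mms.cfg'
        $keep = @()
        if (Test-Path $p) {
            $keep = @(Get-Content $p | Where-Object { $_ -notmatch '^\s*(AutoUpdateDisable|SilentAutoUpdateEnable)\s*=' })
        }
        ($keep + 'AutoUpdateDisable=0' + 'SilentAutoUpdateEnable=1') | Set-Content -Path $p -Encoding ASCII
    }
    $silent = $true
}

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Installed        = ($versions | ForEach-Object { '{0} ({1})' -f $_.Version, (Split-Path $_.Path -Leaf) }) -join '; '
    MeetsMinimum     = ($versions.Count -gt 0) -and ($outdated.Count -eq 0)
    SilentAutoUpdate = $silent
    UpdateService    = if ($svc) { [string]$svc.Status } else { 'absent' }
} | Format-List

# Non-zero exit so a login script or management agent can flag the host.
if ($outdated.Count -gt 0 -or -not $silent) { exit 1 }
```

Run it with `-MinimumVersion` set to the build number from the advisory; a host that is either behind that version or still has the prompting (non-silent) updater exits 1, which is the hook a WSUS-style or login-script rollout needs to decide whether a push is still required. The script reports on both the NPAPI plugin and the ActiveX control because the two are patched separately and the article's advisory concerns attacks aimed at Firefox specifically.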

Are you freaking kidding me? I've had to update over 200 laptops this past week TWICE and NOW I've got to do it again (I know, crying in my beer).

Was Jobs right or was he RIGHT!?!

If you have 200 machines, you should be backed by a WSUS server, along with Local Update Publisher to push out updates to things like Flash and Java. Your life will be easier.

Or if you don't want to do that, turn on the autoupdater for Flash.

This. I use this exact solution to keep 800+ devices across 11 sites up to date. Anything else (other than maybe SCCM) is harder than it should be.

Make your life easier and go with WSUS & Local Update Publisher.

As an end user, one problem I have found with WSUS is that all the additional drivers that companies now send to Microsoft to be included in the updates do not exist on my local WSUS server. Because of this, I cannot get the latest HP drivers for the printer that we have as it is only available through MS update.

I don't understand why there are so many security updates to Flash. You would think they would have noticed some patterns by now to these exploits and gone through and proactively fixed them. Plus as far as I know there hasn't been a useful feature added to Flash in like 7-8 years. What are they adding that's being exploited?

None of the new features to Flash are really user-visible, except maybe hardware acceleration. It's all about the developer. When you change the guts, no one notices. No one really notices when the product is literally just a channel for other people's content either.

I don't understand why there are so many security updates to Flash. You would think they would have noticed some patterns by now to these exploits and gone through and proactively fixed them. Plus as far as I know there hasn't been a useful feature added to Flash in like 7-8 years. What are they adding that's being exploited?

There isn't a finite number of exploits. If you have read "The Mythical Man-Month" you have come across the concept that in a sufficiently complex piece of code there is a certain irreducible number of bugs, below which any attempt to correct a bug would only introduce another. It would seem that Flash is suitably complex. While there is no way to eliminate this problem, you can change the fundamental design of your app so that the irreducible number is lower. Other newer platforms have generally done so.